VPN using ip with NAT outside
I am trying to configure a tunnel linking our Cisco 5520 with a 5550, using one of our external IPs NATted through that tunnel. For some reason, any traffic that should bring up this tunnel goes through the global NAT instead. Here are the configs I have for this tunnel:
access-list policy-nat extended permit ip host 66.77.88.170 host 1.2.3.4
access-list Outside_cryptomap_60 extended permit ip inside-network 255.255.254.0 host 1.2.3.4
access-list Outside_cryptomap_60 extended permit ip host 66.85.99.170 host 1.2.3.4
global (outside) 1 66.77.88.135 netmask 255.255.255.192
static (inside,outside) 66.77.88.170 access-list policy-nat
crypto ipsec transform-set TRANSFORM_SET esp-3des esp-md5-hmac
crypto map Outside_map 60 match address Outside_cryptomap_60
crypto map Outside_map 60 set peer 200.200.200.200
crypto map Outside_map 60 set transform-set TRANSFORM_SET
tunnel-group 200.200.200.200 type ipsec-l2l
tunnel-group 200.200.200.200 general-attributes
 default-group-policy site2site
tunnel-group 200.200.200.200 ipsec-attributes
 pre-shared-key *
If I ping 1.2.3.4 from an inside host IP, I see in the logs that it uses 66.77.88.136 as the NAT address and not 66.77.88.170. Do you see something wrong with this configuration?
You fundamentally have the ACLs in the wrong places.
It should be as follows --->
crypto map Outside_map 60 match address policy-nat
crypto map Outside_map 60 set peer 200.200.200.200
crypto map Outside_map 60 set transform-set TRANSFORM_SET
access-list policy-nat extended permit ip host 66.77.88.170 host 1.2.3.4
static (inside,outside) 66.77.88.170 access-list Outside_cryptomap_60
access-list Outside_cryptomap_60 extended permit ip inside-network 255.255.254.0 host 1.2.3.4 ---> this ACL has no need of the 2nd line you have
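The NAT order that bites here, as an added Python model (not code from the post or from Cisco): on a pre-8.3 ASA the policy static NAT ACL is evaluated on the real source address, the dynamic nat/global pair takes whatever static NAT did not claim, and only then is the crypto ACL matched, against the translated source. The inside network 10.1.0.0/23, the catch-all nat (inside) 1 and the pool address 66.77.88.136 are constructed assumptions; the other addresses are the thread's.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Ace:
    """One permit entry of an ASA extended ACL: source and destination as CIDR."""
    src: str
    dst: str

    def matches(self, src: str, dst: str) -> bool:
        return (ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst))


def acl_permits(acl, src: str, dst: str) -> bool:
    return any(ace.matches(src, dst) for ace in acl)


@dataclass(frozen=True)
class PolicyStatic:
    """static (inside,outside) MAPPED access-list ACL: ACL is evaluated on the REAL address."""
    mapped: str
    acl: tuple


@dataclass(frozen=True)
class DynamicNat:
    """nat (inside) N access-list ACL + global (outside) N POOL: catch-all after static NAT."""
    acl: tuple
    pool: tuple


def translate(src: str, dst: str, statics, dynamic: DynamicNat):
    """Pre-8.3 ASA order: policy static NAT first, then dynamic nat/global, else untranslated."""
    for rule in statics:
        if acl_permits(rule.acl, src, dst):
            return rule.mapped, "static policy NAT"
    if acl_permits(dynamic.acl, src, dst):
        return dynamic.pool[0], "dynamic nat/global"
    return src, "untranslated"


def classify(src: str, dst: str, statics, dynamic: DynamicNat, crypto_acl):
    """Return (translated source, NAT rule that won, whether the crypto map encrypts it)."""
    xlated, rule = translate(src, dst, statics, dynamic)
    # The crypto ACL is matched AFTER translation, so it must name the post-NAT address.
    return xlated, rule, acl_permits(crypto_acl, xlated, dst)


# Constructed stand-ins: "inside-network" is only an object name in the thread, so 10.1.0.0/23
# (the thread's 255.255.254.0 mask) is assumed; nat (inside) 1 is assumed to cover everything
# and to hand out 66.77.88.136, the address the poster saw in the log.
INSIDE_NET = "10.1.0.0/23"
INSIDE_HOST = "10.1.0.10"
PEER_HOST = "1.2.3.4/32"
CATCH_ALL = DynamicNat(acl=(Ace("0.0.0.0/0", "0.0.0.0/0"),), pool=("66.77.88.136",))

# Original post: the policy-nat ACL names the MAPPED address as source (never matches an
# inside host) and the crypto ACL names the REAL inside network (never matches post-NAT).
ORIGINAL_STATICS = (PolicyStatic("66.77.88.170", (Ace("66.77.88.170/32", PEER_HOST),)),)
ORIGINAL_CRYPTO = (Ace(INSIDE_NET, PEER_HOST), Ace("66.85.99.170/32", PEER_HOST))

# The answer: swap the two ACLs. NAT ACL on real addresses, crypto ACL on translated ones.
FIXED_STATICS = (PolicyStatic("66.77.88.170", (Ace(INSIDE_NET, PEER_HOST),)),)
FIXED_CRYPTO = (Ace("66.77.88.170/32", PEER_HOST),)


def evaluate_original(dst: str = "1.2.3.4"):
    return classify(INSIDE_HOST, dst, ORIGINAL_STATICS, CATCH_ALL, ORIGINAL_CRYPTO)


def evaluate_fixed(dst: str = "1.2.3.4"):
    return classify(INSIDE_HOST, dst, FIXED_STATICS, CATCH_ALL, FIXED_CRYPTO)


if __name__ == "__main__":
    # original -> ('66.77.88.136', 'dynamic nat/global', False): the symptom in the log
    print("original:", evaluate_original())
    # fixed    -> ('66.77.88.170', 'static policy NAT', True)
    print("fixed:   ", evaluate_fixed())
    # internet-bound traffic (constructed destination) still uses the global pool
    print("fixed, 203.0.113.9:", evaluate_fixed("203.0.113.9"))
```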
Tags: Cisco Security
Similar Questions
-
VPN using hotspot with ios 10 does not
I often work off site and use my iPhone 6s (AT&T) as a hotspot to connect my work Windows 10 Pro tablet (ASUS T300CHI). Although many places I work have WiFi, most do not allow the VPN I need to connect to my work server. After updating to iOS 10 (I'm on 10.0.1), I can connect to the hotspot, but the VPN doesn't work anymore.
The built-in VPN client of Windows 10 Pro on my tablet has an automatic setting that appears to detect the type of connection (IKEv2/IPSec/PPTP/L2TP, etc.), and you just put in user name and password. According to my IT dept, the VPN connection at the office not only supports PPTP (which I understand has been disabled in iOS 10) but also supports IKEv2 and L2TP/IPSec. Nevertheless, I have always left the VPN configuration on Windows 10 on automatic. I tried selecting the connection type, but it did not work either. Generally I get the error "VPN tunnel failure".
Any thoughts would be appreciated
MattyBH,
Please keep us informed if you were able to solve this problem. I also have the same problem since the update to iOS 10. I think it has to do with Apple removing the PPTP protocol in iOS 10... I was able to confirm this conclusion by downgrading to the previous iOS 9.3, and my VPN works very well; unfortunately my users with iPhone 7 cannot downgrade their iOS and now cannot access the VPN through iOS 10 hotspots.
-
IOS - help with VPN IPsec L2L with NAT
Hello guys
I am trying to get a VPN to work for a specific scenario where I do NAT for the VPN traffic to avoid a duplicate subnet.
I found several guides on cisco.com, but none of the ones I found shows (or explains how to do) the NAT overload (for internet traffic) that I need for my setup.
http://www.Cisco.com/en/us/Tech/tk583/TK372/technologies_configuration_example09186a00800b07ed.shtml
http://www.Cisco.com/en/us/products/ps5855/products_configuration_example09186a0080a0ece4.shtml
Basically, I need to know what the configuration looks like when you do static NAT into a VPN tunnel and also provide internet connectivity using NAT on the same router.
I have attached a drawing that should better explain my needs.
Does someone know a guide that shows how to do this?
Best regards
Jesper
You can use a static policy NAT to NAT the traffic (the outside interface name is a placeholder, as the original post did not give it):
access-list 101 permit ip 10.0.0.0 0.0.0.255 10.30.10.0 0.0.0.255
access-list 102 deny ip 10.0.0.0 0.0.0.255 10.30.10.0 0.0.0.255
access-list 102 permit ip 10.0.0.0 0.0.0.255 any
route-map policy-NAT permit 10
 match ip address 101
route-map internet-NAT permit 10
 match ip address 102
ip nat inside source static network 10.0.0.0 10.30.10.0 /24 route-map policy-NAT
ip nat inside source route-map internet-NAT interface <outside-interface> overload
Hope that helps.
-
Hello, I was hoping someone might have an example of a site-to-site VPN configuration where the ASA is statically NATting its internal network. Basically the same configuration as this one, but instead of "nat 0", the ASA is NATting. So instead of the remote site connecting to the local network 10.10.10.0/24, the ASA would NAT it to 172.16.17.0/24, for example.
http://www.Cisco.com/en/us/products/ps9422/products_configuration_example09186a0080b4ae61.shtml
Thank you.
Mike
It's not very complicated, just keep in mind that NAT is done before encryption.
So if you NAT your internal network 10.10.10.0/24 to 172.16.17.0/24:
static (inside,outside) 172.16.17.0 10.10.10.0 netmask 255.255.255.0
you use the translated address in your crypto ACL:
access-list REMOTE-VPN extended permit ip 172.16.17.0 255.255.255.0 REMOTE-NET 255.255.255.0
I assume from the older document you referred to that you are not running ASA 8.3+. If you have more recent software, the logic is the same but the NAT commands differ.
Sent from the Cisco Technical Support iPad App
-
Application of VPN S2S (with NAT)
Hello experts,
ASA (8.2) with standard site-to-site and Internet access configs.
Outside: 1.1.1.1/24 -> S2S VPN peer IP.
Inside: private subnets
Standard "nat 0" statements and crypto ACLs for our remote offices, local networks with their IP scheme.
Requirement:
Need to connect PCs on our LAN to external client hosts (3.3.3.3 & 4.4.4.4) on tcp/443 via S2S VPN. The client accepts only hosts with public IPs.
I need to NAT my internal IPs to a public IP, say 1.1.1.2, and establish the VPN tunnel between 1.1.1.1 -> the client-side primary & secondary IPs (Cisco router)
(without losing connectivity to the remote offices). Will policy NAT work here?
ex:
My internal: 10.0.0.0/8 and 192.168.0.0/16
Assigned IP available for NAT (used only to connect to the client): 1.1.1.5
External client LAN IPs: 3.3.3.3 & 4.4.4.4
PAT:
access-list TOCLIENT extended permit ip object-group MYLAN object-group CUSTOMER-LAN
nat (inside) 5 access-list TOCLIENT
global (outside) 5 1.1.1.5
Crypto:
access-list CRYPTO extended permit tcp host 1.1.1.5 object-group CUSTOMER-LAN eq 443
crypto map Outsidemap 1 match address CRYPTO
The customer will peer with IP 1.1.1.1 only. Do I need "nat 0" configs here?
Also, for the phase 2 specifications, no transform-set options were given. The info given was:
Phase 2: AH: PMR, lifetime: 3600 s, PFS: disabled, LZS compression: disabled.
Will this work with these phase 2 options? Thanks in advance
MS
Hello
"Existing nat (inside) 1 & global (outside) does not interfere with NAT 5 when users try to reach the ClientLAN." Your inside nat index is "1", while the dynamic policy-nat index is "5".
"For phase 2 in general, we define crypto ipsec transform-set TEST". Sure, as long as the remote tunnel peer accepts the same transform set; whatever you put up, as in the example below, the remote peer must put the same on its tunnel.
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
"In this scenario, no need to define any, and just add an empty transform-set statement under the crypto map?" No, you need a defined transform set.
"3. If we want to limit the destination port to 443, do I need to use a separate VPN filter?" That's right, use a vpn-filter.
"4. We have several phase 1 configs, but wanted to use AES256 & DH5 (new policy)... for s2s, these options work fine."
Of course, you can set phase 1 as required.
Thank you
Rizwan James
-
IOS VPN with NAT need help with ACL?
What am I forgetting? I have tried other posts, studied known bugs with 12.2(13)T1, workaround solutions, etc., but perhaps my other configuration choices interfere with my VPN configuration.
I can connect and authenticate locally, very well. The stats of Cisco VPN client 3.6.3 show I'm encrypting traffic to the protected networks, but I cannot get any traffic through to internal hosts once I've connected.
I removed security tags and replaced all the public IP addresses with fake ones, in the hope that someone can point me to what is obvious!
Thank you very much.
----------
Current configuration : 5508 bytes
!
! Last configuration change at 22:24:38 PST Thu Feb 20 2003 by kevin
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
aaa new-model
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
aaa session-id common
ip subnet-zero
!
ip domain name mondomaine.fr
ip name-server 199.13.28.12
ip name-server 199.13.29.12
!
ip inspect audit-trail
ip inspect max-incomplete high 1100
ip inspect one-minute high 1100
ip inspect name Ethernet_0_1 tcp
ip inspect name Ethernet_0_1 udp
ip inspect name Ethernet_0_1 cuseeme
ip inspect name Ethernet_0_1 ftp
ip inspect name Ethernet_0_1 h323
ip inspect name Ethernet_0_1 rcmd
ip inspect name Ethernet_0_1 realaudio
ip inspect name Ethernet_0_1 smtp
ip inspect name Ethernet_0_1 streamworks
ip inspect name Ethernet_0_1 vdolive
ip inspect name Ethernet_0_1 sqlnet
ip inspect name Ethernet_0_1 tftp
ip inspect name Ethernet_0_1 http java-list 99
ip inspect name Ethernet_0_1 rtsp
ip inspect name Ethernet_0_1 netshow
ip inspect name Ethernet_0_0 tcp
ip inspect name Ethernet_0_0 ftp
ip inspect name Ethernet_0_0 udp
ip audit notify log
ip audit po max-events 100
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
crypto isakmp nat keepalive 20
!
crypto isakmp client configuration group vpngroup
 key xxxxxxxxx
 dns 199.13.28.12 199.13.29.12
 domain mydomain.com
 pool vpnpool
 acl 110
!
!
crypto ipsec transform-set RIGHT esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
 set transform-set RIGHT
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
mta receive maximum-recipients 0
!
!
interface Ethernet0/0
 description connected to Internet
 ip address 199.201.44.198 255.255.255.248
 ip access-group 101 in
 ip nat outside
 ip inspect Ethernet_0_0 in
 no ip route-cache
 no ip mroute-cache
 half-duplex
 crypto map clientmap
!
interface Serial0/0
 no ip address
 shutdown
!
interface Ethernet0/1
 description connected to private network
 ip address 192.168.1.254 255.255.255.0
 ip access-group 100 in
 ip nat inside
 ip inspect Ethernet_0_1 in
 half-duplex
!
ip local pool vpnpool 192.168.2.201 192.168.2.210
ip nat translation timeout 119
!!
!! -removed the following line for VPN configuration
!! ip nat inside source list 1 interface Ethernet0/0 overload
!! -replaced by the next line...
ip nat inside source route-map sheep interface Ethernet0/0 overload
ip nat inside source static 192.168.1.1 199.201.44.197
ip classless
ip route 0.0.0.0 0.0.0.0 199.201.44.193 permanent
ip http server
ip http access-class 7
ip http authentication local
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 5 permit 192.5.41.40
access-list 5 permit 192.5.41.41
access-list 5 deny any
access-list 7 permit 192.168.1.0 0.0.0.255
access-list 7 deny any
access-list 99 deny any
access-list 100 permit udp any eq rip any eq rip
access-list 100 permit tcp host 192.168.1.1 any eq www
access-list 100 permit ip host 192.168.1.1 any
access-list 100 permit tcp host 192.168.1.2 any eq www
access-list 100 permit ip host 192.168.1.2 any
access-list 100 deny ip host 192.168.1.253 any
access-list 100 permit ip any any
access-list 101 deny ip host 199.201.44.197 any
access-list 101 permit tcp any host 199.201.44.197 eq 22
access-list 101 permit tcp any host 199.201.44.197 eq www
access-list 101 permit tcp any host 199.201.44.197 eq 115
access-list 101 permit icmp any host 199.201.44.197
access-list 101 permit ip any host 199.201.44.198
access-list 101 permit tcp any host 199.201.44.197 eq 8000
access-list 101 permit tcp any host 199.201.44.197 eq 8080
access-list 101 permit tcp any host 199.201.44.197 eq 9090
access-list 101 permit udp any host 199.201.44.197 eq 7070
access-list 101 permit udp any host 199.201.44.197 eq 554
access-list 110 permit ip 192.168.1.0 0.0.0.255 any
access-list 115 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 115 permit ip 192.168.1.0 0.0.0.255 any
!
route-map sheep permit 10
 match ip address 115
!
line con 0
 exec-timeout 0 0
 password 7 XXXXXXXXXXXXXXX
line aux 0
line vty 0 4
 password 7 XXXXXXXXXXXXXXXX
!
ntp clock-period 17208655
ntp source Ethernet0/0
ntp access-group peer 5
ntp access-group serve-only 7
ntp master 3
ntp server 192.5.41.41
ntp server 192.5.41.40
!
end
----------
Config looks OK; you should be able to get to each internal host EXCEPT 192.168.1.1 with this configuration. If you do a "sho cry ipsec sa", do you see Pkts Decaps increment, indicating that you receive the traffic from the remote client? Do you see Pkts Encaps increment, indicating that you send a response back to the client from the internal host?
As for 192.168.1.1, because you have this:
> ip nat inside source static 192.168.1.1 199.201.44.197
it takes precedence over this:
> ip nat inside source route-map sheep interface Ethernet0/0 overload
for this host's traffic only, and therefore return traffic for just this host is always NATted even if you don't want it to be. To work around this, send traffic from this host through a loopback interface with no NAT enabled on it, so that it stops being NATted and lets you connect via VPN. See http://www.cisco.com/warp/public/707/static.html for a detailed explanation, but basically you must add this:
interface loopback 0
 ip address 1.1.1.1 255.255.255.0
interface ethernet0/1
 ip policy route-map static
route-map static permit 10
 match ip address 120
 set ip next-hop 1.1.1.2
access-list 120 permit ip host 192.168.1.1 192.168.2.0 0.0.0.255
-
L2l VPN with NAT static to hide the IP internal on Cisco 1841 ISR
I configured a L2L VPN on a Cisco 1841 ISR. I'm statically NATting some of my internal hosts to IPs that are included in the encrypted traffic. Please note that not all internal hosts are being NATted. I am doing this to hide some of the actual IP addresses on the inside network. I confirmed that the VPN works, as well as the NAT of the VPN traffic. I have traditionally configured L2L VPNs on Cisco ASA 5500 series devices, and this is my first attempt with IOS on the 1841. I just want someone else to take a glance to see if I missed something, or if I could make part of the configuration more efficient. All comments are welcome.
VPN-RTR-01#show run
Building configuration...

Current configuration : 9316 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname VPN-RTR-01
!
boot-start-marker
boot-end-marker
!
! card type command needed for slot/vwic-slot 0/0
logging buffered 51200 warnings
no logging console
enable secret 5 xxxxxxxxxxxxxxx
enable password 7 xxxxxxxxxxxxxxx
!
no aaa new-model
ip cef
!
!
!
!
no ip domain lookup
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
crypto pki trustpoint TP-self-signed-2010810276
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2010810276
 revocation-check none
 rsakeypair TP-self-signed-2010810276
!
!
crypto pki certificate chain TP-self-signed-2010810276
 certificate self-signed 01
  quit
username lhocin privilege 15 password 7 xxxxxxxxxxxxxxx
username jsmith privilege 15 password 7 xxxxxxxxxxxxxxx
!
!
!
!
crypto isakmp policy 5
 encr aes 256
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key xxxxxxxxxxxxxxx address 172.21.0.1 no-xauth
!
!
crypto ipsec transform-set ESP-AES256-SHA esp-aes 256 esp-sha-hmac
!
crypto map VPN-REMOTE-SITE 1 ipsec-isakmp
 set peer 172.21.0.1
 set transform-set ESP-AES256-SHA
 match address VPN-REMOTE-SITE
!
!
!
interface FastEthernet0/0
 no ip address
 speed auto
 full-duplex
 no mop enabled
!
interface FastEthernet0/0.1
 encapsulation dot1Q 1 native
!
interface FastEthernet0/0.2
 description $FW_INSIDE$
 encapsulation dot1Q 61
 ip address 10.1.0.34 255.255.255.224
 ip access-group 100 in
 ip nat inside
 ip virtual-reassembly
!
interface FastEthernet0/0.3
 description $FW_OUTSIDE$
 encapsulation dot1Q 111
 ip address 172.20.32.17 255.255.255.224
 ip access-group 101 in
 ip verify unicast reverse-path
 ip nat outside
 ip virtual-reassembly
 crypto map VPN-REMOTE-SITE
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 172.20.32.1
ip route 10.16.0.0 255.255.0.0 10.1.0.33
ip route 10.19.0.0 255.255.0.0 10.1.0.33
ip route 10.191.0.0 255.255.0.0 10.1.0.33
ip route 10.192.0.0 255.255.0.0 10.1.0.33
ip route 192.168.20.48 255.255.255.240 10.1.0.33
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat inside source route-map NO_NAT interface FastEthernet0/0.3 overload
ip nat inside source static 10.191.0.11 192.168.20.54 route-map STATIC_NAT_7 extendable
ip nat inside source static 10.191.0.12 192.168.20.55 route-map STATIC_NAT_8 extendable
ip nat inside source static 10.192.1.1 192.168.20.56 route-map STATIC_NAT_1 extendable
ip nat inside source static 10.192.1.2 192.168.20.57 route-map STATIC_NAT_2 extendable
ip nat inside source static 10.192.1.3 192.168.20.58 route-map STATIC_NAT_3 extendable
ip nat inside source static 10.192.1.4 192.168.20.59 route-map STATIC_NAT_4 extendable
ip nat inside source static 10.192.1.5 192.168.20.61 route-map STATIC_NAT_5 extendable
ip nat inside source static 10.16.1.6 192.168.20.62 route-map STATIC_NAT_6 extendable
!
ip access-list extended VPN-REMOTE-SITE
 permit ip 192.168.20.48 0.0.0.15 host 10.174.52.39
 permit ip 192.168.20.48 0.0.0.15 host 10.174.52.40
ip access-list extended inside_nat_static_1
 permit ip host 10.192.1.1 host 10.174.52.39
 permit ip host 10.192.1.1 host 10.174.52.40
 deny ip any any
ip access-list extended inside_nat_static_2
 permit ip host 10.192.1.2 host 10.174.52.39
 permit ip host 10.192.1.2 host 10.174.52.40
 deny ip any any
ip access-list extended inside_nat_static_3
 permit ip host 10.192.1.3 host 10.174.52.39
 permit ip host 10.192.1.3 host 10.174.52.40
 deny ip any any
ip access-list extended inside_nat_static_4
 permit ip host 10.192.1.4 host 10.174.52.39
 permit ip host 10.192.1.4 host 10.174.52.40
 deny ip any any
ip access-list extended inside_nat_static_5
 permit ip host 10.192.1.5 host 10.174.52.39
 permit ip host 10.192.1.5 host 10.174.52.40
 deny ip any any
ip access-list extended inside_nat_static_6
 permit ip host 10.16.1.6 host 10.174.52.39
 permit ip host 10.16.1.6 host 10.174.52.40
 deny ip any any
ip access-list extended inside_nat_static_7
 permit ip host 10.191.0.11 host 10.174.52.39
 permit ip host 10.191.0.11 host 10.174.52.40
 deny ip any any
ip access-list extended inside_nat_static_8
 permit ip host 10.191.0.12 host 10.174.52.39
 permit ip host 10.191.0.12 host 10.174.52.40
 deny ip any any
!
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip 172.20.32.0 0.0.0.31 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark SDM_ACL Category=17
access-list 101 permit udp any host 192.168.20.62
access-list 101 permit tcp any host 192.168.20.62
access-list 101 permit udp any host 192.168.20.61
access-list 101 permit tcp any host 192.168.20.61
access-list 101 permit udp any host 192.168.20.59
access-list 101 permit tcp any host 192.168.20.59
access-list 101 permit udp any host 192.168.20.58
access-list 101 permit tcp any host 192.168.20.58
access-list 101 permit udp any host 192.168.20.57
access-list 101 permit tcp any host 192.168.20.57
access-list 101 permit udp any host 192.168.20.56
access-list 101 permit tcp any host 192.168.20.56
access-list 101 permit udp any host 192.168.20.55
access-list 101 permit tcp any host 192.168.20.55
access-list 101 permit udp any host 192.168.20.54
access-list 101 permit tcp any host 192.168.20.54
access-list 101 permit ip host 10.174.52.40 192.168.20.48 0.0.0.15
access-list 101 permit ip host 10.174.52.39 192.168.20.48 0.0.0.15
access-list 101 permit udp host 172.21.0.1 host 172.20.32.17 eq non500-isakmp
access-list 101 permit udp host 172.21.0.1 host 172.20.32.17 eq isakmp
access-list 101 permit esp host 172.21.0.1 host 172.20.32.17
access-list 101 permit ahp host 172.21.0.1 host 172.20.32.17
access-list 101 permit icmp any host 172.20.32.17 echo-reply
access-list 101 permit icmp any host 172.20.32.17 time-exceeded
access-list 101 permit icmp any host 172.20.32.17 unreachable
access-list 101 permit udp any host 172.20.32.17 eq isakmp log
access-list 101 permit udp any host 172.20.32.17 eq non500-isakmp
access-list 101 permit tcp any host 172.20.32.17 eq 443
access-list 101 permit tcp any host 172.20.32.17 eq 22
access-list 101 permit tcp any host 172.20.32.17 eq cmd
access-list 101 deny ip 10.1.0.32 0.0.0.31 any
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any log
access-list 102 deny ip 192.168.20.48 0.0.0.15 host 10.174.52.40
access-list 102 deny ip 192.168.20.48 0.0.0.15 host 10.174.52.39
access-list 102 permit ip 10.1.0.32 0.0.0.31 any
!
route-map NO_NAT permit 1
 match ip address 102
!
route-map STATIC_NAT_8 permit 10
 match ip address inside_nat_static_8
!
route-map STATIC_NAT_5 permit 10
 match ip address inside_nat_static_5
!
route-map STATIC_NAT_4 permit 10
 match ip address inside_nat_static_4
!
route-map STATIC_NAT_7 permit 10
 match ip address inside_nat_static_7
!
route-map STATIC_NAT_6 permit 10
 match ip address inside_nat_static_6
!
route-map STATIC_NAT_1 permit 10
 match ip address inside_nat_static_1
!
route-map STATIC_NAT_3 permit 10
 match ip address inside_nat_static_3
!
route-map STATIC_NAT_2 permit 10
 match ip address inside_nat_static_2
!
!
!
control-plane
!
!
!
line con 0
 exec-timeout 30 0
line aux 0
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
line vty 5 15
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler allocate 20000 1000
end
VPN-RTR-01#
Hello
Configuration looks ok to me.
You can also cross-reference with the following link:
http://www.Cisco.com/en/us/Tech/tk583/TK372/technologies_configuration_example09186a0080223a59.shtml
I hope this helps.
Kind regards
Anisha
P.S.: Please mark this thread as answered if you feel that your query is resolved. Rate the helpful posts.
-
Hello
I am trying to set up a VPN between a VLAN I have defined and another office. I have been using NAT on the interface for internet access with a NAT pool.
I created the VPN with a crypto map and the VPN is successfully established.
The problem I encounter is that when NAT is enabled, internet access works but I cannot ping through the VPN.
If I disable NAT, the VPN works perfectly, but then the VLAN cannot access the internet.
What should I do differently?
Here is the config:
Device: 2911 with security package
Local network: 10.10.104.0/24
Remote network: 192.168.1.0/24
Public range: 65.49.46.68/28
crypto isakmp policy 104
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key REDACTED address 75.76.102.50
crypto ipsec transform-set strongsha esp-3des esp-sha-hmac
crypto map OFFICE 104 ipsec-isakmp
 set peer 75.76.102.50
 set transform-set strongsha
 match address 104
interface GigabitEthernet0/0
 ip address 65.49.46.68 255.255.255.240
 ip flow ingress
 ip nat outside
 ip virtual-reassembly
 duplex full
 speed 100
 standby 0 ip 65.49.46.70
 standby 0 timers 2 6
 standby 0 preempt
 crypto map OFFICE redundancy WAN
interface GigabitEthernet0/2.104
 encapsulation dot1Q 104
 ip address 10.10.104.254 255.255.255.0
ip nat pool wan_access 65.49.46.70 65.49.46.70 prefix-length 28
ip nat inside source list 99 pool wan_access overload
access-list 99 permit 10.10.104.0 0.0.0.255
access-list 104 permit ip 10.10.104.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 104 permit ip 192.168.1.0 0.0.0.255 10.10.104.0 0.0.0.255
access-list 104 permit icmp 10.10.104.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 104 permit icmp 192.168.1.0 0.0.0.255 10.10.104.0 0.0.0.255
#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
65.49.46.70     75.76.102.50    QM_IDLE           1299 ACTIVE
Hello!
Please make these changes:
ip access-list extended Internet-NAT
 deny ip 10.10.104.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 10.10.104.0 0.0.0.255 any
ip nat inside source list Internet-NAT pool wan_access overload
* Please do not remove the old NAT statement until you have added the one above.
Please keep me posted.
Thank you!
Sent from the Cisco Technical Support Android app
-
Cisco ASA VPN Site to Site WITH NAT inside
Hello!
I have 2 ASA 5505 related to IPSEC Tunnel VPN Site to Site.
A "remote" inside network 192.168.1.0/24 and a local inside network "192.168.200.0/24" (you can see the diagram).
The local hosts have 192.168.200.254 as default gateway.
I can't add a static route to all hosts and I can't add a static route on 192.168.200.254.
Can I NAT the incoming VPN traffic as 192.168.200.1 or a free 192.168.200.x so that my hosts connect correctly?
That way my host sends the packet out to its default gateway.
Thank you for your support
Best regards
Marco
The configuration must be applied on the ASA that has the 192.168.200.0 subnet on its inside; there must be something like this:
access-list VPN_NAT permit ip 192.168.1.0 255.255.255.0 192.168.200.0 255.255.255.0
nat (outside) X access-list VPN_NAT outside
global (inside) X Y.Y.Y.Y (where Y.Y.Y.Y is the ip address)
If you have other traffic through the VPN tunnel that requires no NAT, then you must add outside NAT exemption rules, since the lines above oblige all traffic through the ASA to have a NAT statement.
See if it works for you, else post your config nat here.
-
IOS IPSEC VPN with NAT - translation problem
I'm having a problem with IOS IPSEC VPN configuration.
/*
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key TEST123 address 205.xx.1.4
!
!
crypto ipsec transform-set CHAIN esp-3des esp-sha-hmac
!
!
crypto map CRYPTO-MAP 10 ipsec-isakmp
 set peer 205.xx.1.4
 set transform-set CHAIN
 match address 115
!
interface FastEthernet0/0
 description TO THE EDGE ROUTER
 ip address 208.xx.xx.33 255.255.255.252
 ip nat outside
 crypto map CRYPTO-MAP
!
interface FastEthernet0/1
 description INTERNAL NETWORK
 ip address 10.15.2.4 255.255.255.0
 ip nat inside
access-list 115 permit ip 192.xx.xx.128 0.0.0.3 172.xx.1.0 0.0.0.3
*/
(This configuration is incomplete / NAT configuration needed)
Here is the solution that I'm looking for:
When a session is initiated from the "internal network" to the "remote IPSEC network 172.xx.1.0/30", I want the address scheme "10.15.0.0/16" to be NAT translated to "192.xx.xx.128/30" before forwarding via the IPSEC VPN tunnel.
For more information, see the attached diagram.
Any help is greatly appreciated!
Thank you
Clint Simmons
Network engineer
You can try the following NAT + route map approach (method 2 in this link)
http://www.Cisco.com/en/us/Tech/tk648/tk361/technologies_tech_note09186a0080093fca.shtml
Thank you
Raja K
-
LAN to LAN VPN with NAT - solved!
Hello world
I have a problem with a L2L VPN: it is up and logged, however when traffic comes from the other side of the tunnel it does not reach the host on the internal network that is using a static NAT. The inside host 172.18.30.225 is currently NATted to yyy.30.49.14, which is an IP address on the DMZ (yyy.30.49.0 255.255.255.240) interface.
Here is the configuration
object-group network NET-Tunnel
 network-object host xxx.220.129.134
access-list Tunnel-ACL extended permit ip host yyy.30.49.14 object-group NET-Tunnel
crypto map MAP_Tunnel 20 match address Tunnel-ACL
object network Tunnel-iServer-NAT
 host yyy.30.49.14
object network Tunnel-iServer
 host 172.18.30.225
object network Tunnel-iServer
 nat (inside,DMZ) static Tunnel-iServer-NAT
I hope that is enough for someone to help me.
Thank you
M
Version 8.3.1 ASA
Post edited by: network operations
Does the internal host live on the DMZ network or the internal network? If it lives on the internal network, you cannot NAT it to the DMZ interface and have it go out the outside interface, assuming the outside interface is the VPN endpoint interface. If you terminate the VPN on the DMZ interface and the internal host lives on the internal network, then that's fine.
-
Validation of the IOS VPN peer identity IP with NAT - T
I just lost a lot of time understanding this IOS behavior. My conclusion: if you work with the good old peer identity address validation in ISAKMP profiles, and the peer you are talking to is located behind a NAT, you must use the private IP address of the peer in the "match identity address" command. I thought that NAT-T takes care of the translation in all required configuration sections, but here especially, it seems not. The interesting thing is that for all other commands, you must use the public IP address.
See the following example (showing only the relevant sections, with the peer's inside address in the statements):
crypto keyring OUR_KEYRING
 pre-shared-key address 1.2.3.4 key <redacted>
crypto isakmp profile PROFILE_NAME
 vrf TEST
 keyring OUR_KEYRING
 match identity address 192.168.99.5 255.255.255.255
crypto map OUR_MAP 6 ipsec-isakmp
 set peer 1.2.3.4
 set isakmp-profile PROFILE_NAME
Does anyone know if this is normal or if it is a bug? It would be useful and consistent if NAT-T changed the peer identity address during the phase 1 negotiation; then we would not have to deal with the peer's private addressing within site-to-site VPN configs. I am also thinking of overlapping IP scenarios that may occur when you work with private peer addressing.
See the relevant debug output in the attachment, documenting first a failed connection attempt (using the public, NATted IP of the peer in the "match identity address" command) and then a subsequent connection attempt (using the private, internal IP of the peer).
My router is a C2951 with IOS 15.3(2)T2. The peer is an ASA (version & config unknown so far, but I'm sure the other engineer did not specify a private address in his config, even though my session comes from behind a NAT router, too).
Thank you & best regards
Toni
Toni,
The problem with the identity is that it is in an encrypted packet (in the MM exchange), so it cannot be changed in transit, and a host cannot reliably know its own external IP address (it can make assumptions, but it doesn't know how long they are valid for).
Also, if you "NAT'd" the identity you could not tell the difference between two devices behind the same NAT/PAT on the responder's end.
There are some IKE implementations that allow the IKE identity type and value to be specified manually. IOS is not among them.
Yes, we decouple identity and peer IP; it adds flexibility, with a few corner cases that may arise.
Yet another reason why NAT is evil?
M.
-
Cisco ASA site-to-site VPN with NAT
Hi all,
I need help.
I want to make a site-to-site VPN with NAT.
Site A = 10.0.0.0/24
Site B = 10.1.252.0/24
I want site A to appear to site B as 172.26.0.0/24.
Here is my configuration:
access-list inside_nat_outbound extended permit ip 10.0.0.0 255.255.255.0 10.1.252.0 255.255.255.0
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold 10 retry 2
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 2 match address inside_nat_outbound
crypto map outside_map 2 set pfs group5
crypto map outside_map 2 set peer x.x.x.x
crypto map outside_map 2 set transform-set ESP-AES-256-SHA
nat (inside) 10 access-list inside_nat_outbound
global (outside) 10 172.26.0.1-172.26.0.254
But it does not work.
Can you help me?
Regards,
Frédéric
You must make sure that there is no NAT 0 ACL statement, because it will take precedence over the static NAT.
You don't need:
global (outside) 10 172.26.0.1-172.26.0.254
nat (inside) 10 access-list nattoyr
because they will be overridden by the static NAT.
In a word, this is enough:
access-list nattoyr extended permit ip 10.0.0.0 255.255.255.0 10.1.252.0 255.255.255.0
access-list vpntoyr extended permit ip 172.26.0.0 255.255.255.0 10.1.252.0 255.255.255.0
static (inside,outside) 172.26.0.0 access-list nattoyr
crypto map outside_map 2 match address vpntoyr
crypto map outside_map 2 set pfs group5
crypto map outside_map 2 set peer "public ip"
crypto map outside_map 2 set transform-set ESP-AES-256-SHA
crypto map outside_map interface outside
tunnel-group "public ip" type ipsec-l2l
tunnel-group "public ip" ipsec-attributes
 pre-shared-key *
Make sure there is no NAT 0 ACL that includes the above statements, and check whether NAT is happening (sh xlate) and the traffic is being encrypted (sh cry ips sa).
Federico.
-
Traffic from internal hosts to the NAT address works OK, but when the remote side tests traffic back, it never connects.
The inside host 10.1.12.232 gets NATted to 172.27.63.133 and passes through the VPN tunnel to 10.24.4.65 without problem. However, when 10.24.4.65 tries to ping or connect to 172.27.63.133, the traffic does not make it to the inside host 10.1.12.232.
ASA-1#
!
object network obj-172.27.73.0
 subnet 172.27.73.0 255.255.255.0
object network obj-172.27.63.0
 subnet 172.27.63.0 255.255.255.0
object network obj-10.1.0.0
 subnet 10.1.0.0 255.255.0.0
object network obj-10.24.4.64
 subnet 10.24.4.64 255.255.255.224
object network obj-172.27.73.0-172.27.73.255
 range 172.27.73.0 172.27.73.255
object network 10.0.0.0
 subnet 10.0.0.0 255.0.0.0
object network obj-24.173.237.212
 host 24.173.237.212
object network obj-10.1.12.232
 host 10.1.12.232
object network obj-172.27.63.133
 host 172.27.63.133
object-group network DM_INLINE_NETWORK_9
 network-object 10.0.0.0 255.255.255.0
 network-object 10.0.11.0 255.255.255.0
 network-object 10.0.100.0 255.255.255.0
 network-object 10.0.101.0 255.255.255.0
 network-object 10.0.102.0 255.255.255.0
 network-object 10.0.103.0 255.255.255.0
object-group network DM_INLINE_NETWORK_16
 network-object 10.1.11.0 255.255.255.0
 network-object 10.1.12.0 255.255.255.0
 network-object 10.1.13.0 255.255.255.0
 network-object 10.1.3.0 255.255.255.0
!
access-list outside_1_cryptomap extended permit ip object-group DM_INLINE_NETWORK_16 object-group DM_INLINE_NETWORK_9
access-list outside_8_cryptomap extended permit ip 172.27.73.0 255.255.255.0 10.24.4.64 255.255.255.224
access-list outside_8_cryptomap extended permit ip 172.27.63.0 255.255.255.0 10.24.4.64 255.255.255.224
!
access-list outside_access_in extended permit ip 10.24.4.64 255.255.255.224 172.27.63.0 255.255.255.0
access-list outside_access_in extended permit ip 10.24.4.64 255.255.255.224 10.1.0.0 255.255.0.0
access-list outside_access_in extended permit ip 172.27.63.0 255.255.255.0 10.1.0.0 255.255.0.0
!
nat (inside,any) source static obj-172.27.73.0 obj-172.27.73.0 destination static obj-10.24.4.64 obj-10.24.4.64 no-proxy-arp route-lookup
nat (inside,any) source static obj-172.27.63.0 obj-172.27.63.0 destination static obj-10.24.4.64 obj-10.24.4.64 no-proxy-arp route-lookup
nat (inside,outside) source dynamic obj-10.66.0.0 obj-172.27.73.0-172.27.73.255 destination static obj-10.24.4.64 obj-10.24.4.64
nat (inside,outside) source dynamic obj-10.70.0.0 obj-172.27.73.0-172.27.73.255 destination static obj-10.24.4.64 obj-10.24.4.64
nat (inside,outside) source dynamic obj-10.96.228.0 obj-172.27.73.0-172.27.73.255 destination static obj-10.24.4.64 obj-10.24.4.64
nat (inside,outside) source dynamic obj-10.96.229.0 obj-172.27.73.0-172.27.73.255 destination static obj-10.24.4.64 obj-10.24.4.64
nat (inside,outside) source dynamic obj-192.168.5.0 obj-172.27.73.0-172.27.73.255 destination static obj-10.24.4.64 obj-10.24.4.64
nat (inside,outside) source dynamic obj-10.75.0.0 obj-172.27.73.0-172.27.73.255 destination static obj-10.24.4.64 obj-10.24.4.64
nat (inside,outside) source dynamic obj-10.11.0.0 obj-172.27.73.0-172.27.73.255 destination static obj-10.24.4.64 obj-10.24.4.64
nat (inside,outside) source static obj-10.1.3.37 obj-10.71.0.37 destination static obj-50.84.209.140 obj-50.84.209.140
nat (inside,outside) source static obj-10.1.3.38 obj-10.71.0.38 destination static obj-50.84.209.140 obj-50.84.209.140
nat (inside,outside) source static obj-10.1.12.232 obj-172.27.63.133 destination static obj-10.24.4.64 obj-10.24.4.64
nat (inside,outside) source dynamic obj-10.1.0.0 obj-172.27.73.0-172.27.73.255 destination static obj-10.24.4.64 obj-10.24.4.64
!
nat (outside,inside) source static obj-10.24.4.64 obj-10.24.4.64 destination static obj-172.27.63.133 obj-10.1.12.232
nat (outside,outside) source static obj-10.24.4.64 obj-10.24.4.64 destination static obj-172.27.63.133 obj-10.1.12.232
object network 10.0.0.0
 nat (inside,outside) dynamic obj-24.173.237.212
!
nat (VendorDMZ,outside) after-auto source dynamic obj-192.168.13.0 obj-24.173.237.212
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 24.173.237.209 1
route inside 10.1.0.0 255.255.0.0 10.1.10.1 1
route inside 10.2.1.0 255.255.255.248 10.1.10.1 1
!
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-DH2 esp-3des esp-sha-hmac
crypto ipsec security-association pmtu-aging infinite
!
crypto map GEMed 8 match address outside_8_cryptomap
crypto map GEMed 8 set peer 64.245.57.4
crypto map GEMed 8 set ikev1 transform-set ESP-AES-256-SHA ESP-AES-256-MD5
crypto map GEMed interface outside
!
: end
ASA-1#
Hello,
First of all, I would remove these two lines because they do nothing productive:
nat (outside,inside) source static obj-10.24.4.64 obj-10.24.4.64 destination static obj-172.27.63.133 obj-10.1.12.232
nat (outside,outside) source static obj-10.24.4.64 obj-10.24.4.64 destination static obj-172.27.63.133 obj-10.1.12.232
Then I would run packet-tracer to see which NAT rule you actually hit:
packet-tracer input inside tcp 10.1.12.232 12345 10.24.4.65 12345
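As an added example (editor's code, not from the thread or from Cisco), here is a small Python model of how an ASA running 8.3 or later walks its section-1 manual NAT rules, loaded with the rules from the posted configuration that can touch the two flows in question. It assumes top-down first-match evaluation, that a rule with a static destination also matches the reverse flow on its mapped addresses, and that dynamic source rules never match a new reverse flow; the addresses and rule order are the poster's, and the dynamic rules for the other source ranges and the 50.84.209.140 rules are left out because they cannot match either flow. Under those assumptions the outbound flow hits the obj-10.1.12.232 static rule as described, but the inbound flow 10.24.4.65 -> 172.27.63.133 is claimed first by the earlier (inside,any) identity rule for obj-172.27.63.0, so the destination is never mapped back to 10.1.12.232; with the host rule moved above that identity rule the model translates it. Whether the real box agrees is exactly what the packet-tracer run suggested above would show; the inbound counterpart is `packet-tracer input outside tcp 10.24.4.65 12345 172.27.63.133 12345`.

```python
"""First-match model of ASA 8.3+ section-1 (manual / twice) NAT.

Assumptions (editor's, not stated by the ASA documentation quoted on this page):
  * section-1 rules are walked top-down and the first match wins;
  * a rule with 'destination static' is bidirectional: a packet entering the
    rule's dst_if whose addresses match the *mapped* objects is un-translated;
  * 'source dynamic' rules only translate flows in the forward direction and
    never match a new connection in reverse.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class TwiceNat:
    """One 'nat (src_if,dst_if) source {static|dynamic} A B destination static C D' line."""
    src_if: str
    dst_if: str
    real_src: str     # A: real (pre-NAT) source object
    mapped_src: str   # B: mapped source object (equal to A for an identity rule)
    real_dst: str     # C: real destination object
    mapped_dst: str   # D: mapped destination object
    dynamic: bool = False


def _in(addr: str, net: str) -> bool:
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)


def _shift(addr: str, from_net: str, to_net: str) -> str:
    """Static one-to-one mapping: keep the host's offset inside the block."""
    src = ipaddress.ip_network(from_net, strict=False)
    dst = ipaddress.ip_network(to_net, strict=False)
    offset = int(ipaddress.ip_address(addr)) - int(src.network_address)
    return str(ipaddress.ip_address(int(dst.network_address) + offset))


Hit = Tuple[int, str, str]  # (rule index, source after NAT, destination after NAT)


def lookup(rules: List[TwiceNat], ingress: str, src: str, dst: str) -> Optional[Hit]:
    """Return the first rule matching a new flow that enters `ingress`, together
    with the addresses as they leave the NAT engine, or None if nothing matches."""
    for i, r in enumerate(rules):
        # Forward direction: packet enters src_if and carries the real addresses.
        if r.src_if in (ingress, "any") and _in(src, r.real_src) and _in(dst, r.real_dst):
            new_src = f"pool {r.mapped_src}" if r.dynamic else _shift(src, r.real_src, r.mapped_src)
            return i, new_src, _shift(dst, r.real_dst, r.mapped_dst)
        # Reverse direction: packet enters dst_if and carries the mapped addresses.
        if (not r.dynamic and r.dst_if in (ingress, "any")
                and _in(src, r.mapped_dst) and _in(dst, r.mapped_src)):
            return i, _shift(src, r.mapped_dst, r.real_dst), _shift(dst, r.mapped_src, r.real_src)
    return None


REMOTE = "10.24.4.64/27"  # obj-10.24.4.64, used as an identity on both sides of every rule

# Section-1 rules in the order they appear in the posted configuration
# (only those that can touch the two flows under test are reproduced).
POSTED = [
    TwiceNat("inside", "any", "172.27.73.0/24", "172.27.73.0/24", REMOTE, REMOTE),        # identity
    TwiceNat("inside", "any", "172.27.63.0/24", "172.27.63.0/24", REMOTE, REMOTE),        # identity
    TwiceNat("inside", "outside", "10.1.12.232/32", "172.27.63.133/32", REMOTE, REMOTE),  # host static
    TwiceNat("inside", "outside", "10.1.0.0/16", "172.27.73.0/24", REMOTE, REMOTE, dynamic=True),
]

# The same rules with the host static rule moved above the 172.27.63.0/24 identity rule.
HOST_RULE_FIRST = [POSTED[2], POSTED[0], POSTED[1], POSTED[3]]


def outbound(rules: List[TwiceNat]) -> Optional[Hit]:
    """10.1.12.232 -> 10.24.4.65 entering 'inside' (the direction that works)."""
    return lookup(rules, "inside", "10.1.12.232", "10.24.4.65")


def inbound(rules: List[TwiceNat]) -> Optional[Hit]:
    """10.24.4.65 -> 172.27.63.133 entering 'outside' (the direction that fails)."""
    return lookup(rules, "outside", "10.24.4.65", "172.27.63.133")


if __name__ == "__main__":
    for label, rules in (("as posted", POSTED), ("host rule first", HOST_RULE_FIRST)):
        print(f"{label:16} out {outbound(rules)}  in {inbound(rules)}")
```

The returned tuple is (rule index, source, destination) after translation, so a destination that comes back unchanged as 172.27.63.133 means the ASA would have to route that address on the inside, which the posted route table does not do. The model ignores xlate state, section-2 object NAT and the after-auto rule; treat it as a way to reason about rule order before touching the box, not as a substitute for packet-tracer.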
-
How to establish an IPsec VPN tunnel using DNS with an ASA 5505?
Hello,
I get a dynamic public IP address, and what I'm trying to do is establish a remote VPN tunnel using IPsec, which I can do, but each time my provider resets the session or the ASA 5505 resets, I get a new public IP and I need to put the new IP address on the remote client so I can establish the VPN.
How can I establish an IPsec VPN using DNS? For this scenario the remote VPN client is a VPN phone, but it could be any VPN client.
Private IP / Public IP / Public IP / Private IP
PBX - Telephone (LAN) - ASA 5505 - (Internet) - (router) Remote Site - (LAN) VPN
Kind regards!
Ah OK, I see. Yes, in this case there is nothing you can do other than request a static IP address from your ISP.
Kind regards.
PS: Don't forget to mark this question as answered. Thank you!